3cc3b2e10a8a714206503c42623b0f50c4cf15a7c1fa4147ede6be98fddfb156

Analysis

max time kernel
3s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2023 13:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

detonator.cmd
Size

1KB
MD5

507e4c2852dd71317e33790246598bad
SHA1

a662044b8240c0fb7adeb845e809417ff9ad1427
SHA256

a1508608b0d0990674139d4f6923d6de59838257ec0832221bb7905eb5936a7e
SHA512

690562314ac5a610f9df35045d214a9c65bf416b9943385f6e997022cae3b6c44a30c6d44c0cdbcb16fd4c50d676303c2c70dc4b41e0b980635a2e909c9739ff

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\Control Panel\International\Geo\Nation	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\sysnative\Tasks\dqjg	cmd.exe
File created	C:\Windows\sysnative\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask	cmd.exe
File opened for modification	C:\Windows\sysnative\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask	cmd.exe
File created	C:\Windows\sysnative\Tasks\dqjg	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000_Classes\Local Settings	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
768	notepad.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 1844	4424	cmd.exe	80
PID 4424 wrote to memory of 1844	4424	cmd.exe	80
PID 1844 wrote to memory of 768	1844	cmd.exe	81
PID 1844 wrote to memory of 768	1844	cmd.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\detonator.cmd"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\system32\cmd.exe
  cmd.exe /c "C:\ProgramData\dqjg\vuso.ps1"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Windows\System32\notepad.exe
    "C:\Windows\System32\notepad.exe" "C:\ProgramData\dqjg\vuso.ps1"
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:768

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dqjg\vuso.ps1

Filesize
154KB

MD5
07f743d7d5bff6f276abdf9c782e3f91

SHA1
7dd2d5f5e1a7857b7173629139a7d1916b3977b2

SHA256
3aa145e796c24355657a378a74fcde3edd401736b75ec6446c085f813069c5d9

SHA512
357b9da6abf72319ddd7cd917e1deb36bf149c96388cfc7500c7cf0d321aba8dfcde8fb61f66e8128b5308330f27687d60d073b236a436994b33427ef60d2490

Download Submit